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(57) Abstraet: In a peer-to-peer network having a plurality of 
user terminals, each capable of serving as a user authentication 
site for other terminals of the network and having an open side 
of a firewall and a secure side of the firewall, a method for au- 
thenticating a user. A user authentication database is stored in 
memories in the secure side of first and second terminals of the 
network. The first terminal receives a password from the user, 
and translates the password into an authentication encryption key 
for the user. The first terminal generates a first random number, 
encrypts the first random number with the authentication encryp- 
tion key to provide a first encrypted message, and transmits the 
first encrypted message to the second terminal, which serves as 
a user authentication site for the first terminal. The user authen- 
tication site decrypts the encrypted first message to provide the 
first random number, and generates a second random number, 
which is transmitted to the first terminal. The first terminal com- 
bines and encrypts the first and second random numbers, with 
the authentication encryption key, to provide a second encrypted 
message. The first terminal transmits the second encrypted mes- 
sage to the user authentication site, which decrypts the encrypted 
second message to provide the combined first and second random 
numbers. The user authentication site verifies that the first and 
second random numbers are correct, and authenticates the user 
in accordance with this verification. 
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PPTFTR.TO-PRF1R. NETWORK USER AUTHENTICATION PROTOCOL 

CROSS-REFERENCES TO HUT ATED APPLICATIONS 

5 This nonprovisional U.S. national application, filed under 35 U.S.C. 

§ 111(a), claims, under 37 C.F.R, § 1.78(a)(3), the benefit of the filing date of 
provisional U.S. national application no. 60/148,624, attorney docket no. 
SAR13431P, filed on 08/12/99 under 35 U.S.C. § 111(b), the entirety of which is 
incorporated herein by reference. 
10 Government Interests 

This invention was at least partially supported by U.S. Army CECOM 
Government Contract No. DAAB07-97-C-D607. The government may have 
certain rights in this invention. 

BACKGROUND OF THE INVENTION 
15 Fjftjfl flf the Invention 

The present invention relates to computer networks and, in particular, 
to systems and methods for authentication of users seeking access to the 
network. 

Description of the Related Art 

20 Computer networks are widely used. These include private networks 

such as local-area networks ("LANs"), wide-area networks ("WANs"), and 
the Internet. The network consists of a variety of nodes, interconnected by 
transmission media. Some nodes may be terminals and/or personal 
computers ("PCs") by which a user gains access to the network. Other 

25 network nodes are functional units such as routers, servers, and the like. 
Various communications media are used to interconnect the nodes of a 
network, such as fiber-optic cables, Integrated Services Digital Network 
("ISDN"), wireless links, and the like. As will be understood, various nodes 
of a networked computer system may be connected through a variety of 

30 communication media. 

A given private network is typically maintained and operated by a 
specific company, where access to the networkis limited to authorized users. 
In order to limit access to authorized users, networks are often configured 
to "authenticate" a user attempting to access the network, to ensure that the 
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user is an authorized user. The authentication procedure is thus designed 
to ensure that only authorized (authenticated) users Eire allowed to access the 
network. The simplest form of authentication requires a username or user 
ED, and password to gain access to a particular account. Authentication 
5 protocols can also be based on secret-key encryption or on public-key systems 
using digital signatures. In some networks, in order to maintain network 
access control, users are required to be periodically re-authenticatedto retain 
network access. The authentication process authenticates an authorized 
user. The outcome of the authentication can be said to be successful if the 
10 user is successfully authenticated, i.e. authorized to access the network. The 
authentication fails if the user is not granted authorization to access the 
network. 

Conventional authentication procedures, however, may be subject to 
infiltration by unauthorized users, or other forms of "attack". The attack may 

15 permit substitute or false information to be inserted into the network, or 
delivered from the network, or it may otherwise permit the unauthorized 
user to gain access to the network, further allowing them to perform a range 
of hostile acts. If authentication information resides in the memory of a 
network terminal, whether mobile, wireless, or fixed, it may be possible for 

20 an unauthorized user to attack the memory to acquire the authentication 
information, and thus access to the system. 

For example, in a network with mobile users (i.e., wireless, mobile 
terminals), there may be opportunity for user terminals to fall into 
unauthorized hands in which the terminal memory may be attacked. If the 

25 hacker acquires authentication information stored in the memory of the 
terminal, this may be used to gain unauthorized access of the network. Also, 
some networks and authentication procedures are vulnerable to so-called 
"man-in-the-middle" attacks. In this kind of an attack, an unauthorized user 
interferes with the initial public key exchange, by intercepting the very first 

30 message to a new correspondent (e.g., from the terminal to some 
authentication server of the network) and substituting a bogus public key for 
the genuine public key. 

A "self-forming" or peer-to-peer type network is often used. In such a 
network, all users are peers and there is no central network controller. 
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Rather, every computer (node) can share files and peripherals with all other 
computers on the network, given that all are granted access privileges. In 
such a network, because there is no dedicated, central network controller, 
authentication information is distributed to many terminals in the network 
5 and any terminal may be called on to authenticate a user. Since the 
authentication database is distributed, it is subject to a wider range of attacks 
than a network where there is a well-protected central authentication site. 
There is, therefore, a need for improved authentication systems and 
techniques which do not suffer the foregoing disadvantages and problems. 

10 ffriTfimary 

In a peer-to-peer network having a plurality of user terminals, each 
capable of serving as a user authentication site for other terminals of the 
network and having an open side of a firewall and a secure side of the 
firewall, a method for authenticating a user. A user authentication database 

15 is stored in memories in the secure side of first and second terminals of the 
network. The first terminal receives a password from the user, and 
translates the password into an authentication encryption key for the user. 
The first terminal generates a first random number, encrypts the first 
random number with the authentication encryption key to provide a first 

20 encrypted message, and transmits the first encrypted message to the second 
terminal, which serves as a user authentication site for the first terminal. 
The user authentication site decrypts the encrypted first message to provide 
the first random number, and generates a second random number, which 
is transmitted to the first terminal. The first terminal combines and 

25 encrypts the first and second random numbers, with the authentication 
encryption key, to provide a second encrypted message. - The first terminal 
transmits the second encrypted message to the user authentication site, 
which decrypts the encrypted second message to provide the combined first 
and second random numbers. The user authentication site verifies that the 

30 first and second random numbers are correct, and authenticates the user in 
accordance with this verification. 



WO 01/13201 PCT/USO0/21965 

4 

Brief Desmntirm of thft Hrawing^ 
These and other features, aspects, and advantages of the present 
invention will become more fully apparent from the following description, 
appended claims, and accompanying drawings in which: 
5 Fig. 1 is a block diagram of a computer network in accordance with an 

embodiment of the present invention; and 

Fig. 2 is a flow chart illustrating the authentication protocol of the 
network of Fig. 1, in accordance with an embodiment of the present 
invention. 

10 Description of the Preferred Embodiment 

The present invention provides an authentication protocol designed to 
prevent unauthorized entities from gaining access to a peer-to-peer network 
either by obtaining authentication information through communications 
attack or by gaining access to a network terminal. In the present invention, 

15 only information personally retained by an authorized user may be used for 
authentication. Because the network is a peer-to-peer network, multiple 
terminals must store a user authentication database which is distributed 
throughout the network. Some terminals of the network thus can double as 
a user terminal and as a user authentication site for another terminal. The. 

20 authentication protocol of the present invention protects against an 
unauthorized user gaining access through a terminal, despite the 
authentication information stored on the terminal. In addition, the 
authentication protocol of the present invention is not susceptible to a man-in - 
the-middle attack. 

25 Referring now to Fig. 1, there is shown a block diagram of a computer 

network system 100 in accordance with an embodiment of the present 
invention. Network 100 includes a first user terminal 110, and a user 
authentication site 120, interconnected by a communications or transmission 
channel 125, which may be a LAN, fiber optic, wireless, or other digital 

30 communications means. User terminal 110 maybe a PC at a fixed location, 
a remote PC connected to authentication site 120 by a telephone or other link, 
or a mobile unit connected by a wireless link. Terminal 110 contains a 
processor 117 and memory 112 which stores a local copy of a distributed user 
authentication database. User authentication site 120 may be another user 
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terminal, or a dedicated piece of hardware, a PC, or even a site manned by 
human operators. In an embodiment, network 100 comprises a plurality of 
user terminals which can also perform user authentication for other user 
terminals. Network 100 may also contain dedicated user terminals that 
5 cannot provide user authentication, and dedicated user authentication sites 
that are not user terminals. 

Each authorized user of network 100 is assigned a unique password, 
and an authentication encryption and decryption key pair. A given user's 
authentication encryption key is the outcome of applying a specified 

10 encryption-key generation algorithm to the user's password. The user's 
authentication decryption key is the key that can decrypt messages encrypted 
using the user's authentication encryption key. These keys are used only for 
authentication and no other purpose, such as data encryption/decryption. 
User authentication information for all authorized users of the network is 

15 maintained in a distributed user authentication database, which is 
distributed among and stored on several user terminals of network 100, such 
as terminals 110, 120. The database contains authentication information for 
each user, such as the user's authentication encryption and decryption keys, 
password, and other information about the user, such as the user's security 

20 clearance, authority to access the network (access authority). 

In some embodiments, each user may also have a Smart Card with 
personal information pre-encrypted with the user's individual authentication 
encryption key. Each user may also have health sensors mounted on his 
body, for additional security. 

25 Thus, as illustrated, every user terminal that can perform 

authentication for other terminals stores a local copy of the user 
authentication database. This database is stored in a memory 112, 122 on the 
secure side 114, 124 of a firewall 111, 121. All terminals of network 100, such 
as terminals 110, 120, have a firewall (e.g., Ill) where the user enters and 

30 receives data from the open side 113 and all authentication information is on 
the secure side 114. Since each terminal 110 may serve as a relay for network 
traffic for other terminals, the transmitter, receiver, and all network traffic 
are on the secure side. The terminal's secure side is protected against both 
physical and software attacks. The local copy of the distributed user 
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authentication database stored in each terminal's memory 112 are all present 
and potential users' individual authentication encryption and decryption 
keys, which are used only for authentication, and for no other purpose. The 
distributed user authentication database is maintained autonomously by the 
5 secure side of the network 100. Any terminal with a user authentication 
database can serve as a user authentication site for one or more other 
terminals. Thus, the second user terminal can serve as a user 
authentication site 120 for first user terminal 110, which itself can serve as 
a user authentication site for terminal 120 or other terminals of network 100. 

10 Each user terminal, such as user terminal 110, has a means of 

translating the user's password to the user's individual encryption key. For 
example, user terminal 110 contains processor 117 and the above-mentioned 
encryption-key generation algorithm. User terminal 110 also has the ability 
to generate random numbers, and to encrypt a given message with the user's 

15 individual authentication encryption key. Thus, if the user provides a 
password to terminal 110, terminal 110 can run the encryption-key 
generation algorithm using the password as input, to generate the user's 
authentication encryption key. It can then generate a random number and 
use the authentication encryption key to encrypt the random number, to 

20 provide an encrypted random number (which is also a random number). 
The password, random number, authentication encryption key, encrypted 
messages, and received messages, can be stored by terminal 110 temporarily 
in memory 112. In some embodiments, a terminal 110 can be equipped with 
sensors to read and transmit the user's Smart Card information, health 

25 sensors, and/or an iris recognition device, for additional security. 

In an embodiment, a terminal only grants access to a user who inserts 
his smart card and then enters the appropriate user ID and password. The 
user's password and smart card data are the only authentication data that 
may pass through the firewall. Terminal access is denied if the user is de- 

30 authenticated by any user authentication site. 

Terminals of network 100 are configured such that only certain 
specially-designated users have read/write access to the user authentication 
database stored in the terminal's memory 112. For example, in a military 
context, each soldier of a squad may have a wireless, mobile user terminal 
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110, and a designated communications expert of the squad may be designated 
as having the authority to have read and/or read/write access to the database 
in memory 112 of his user terminal. Other soldiers are not designated. In 
an embodiment, the user authentication database stored in a terminal's 
5 memory is destroyed (e.g., the memory is erased) under certain conditions, 
for example where a non-designated user attempts to access the database, or 
where a suspicious or non-standard attempt is made to access the database. 
The database may also be destroyed if the terminal detects a physical attack, 
e.g. opening the physical case of the terminal. In an embodiment, if a 
10 terminal's user is de-authenticated (fails an authentication process), the 
user authentication database residing in that terminal's memory 112 is 
destroyed. 

Also, in some embodiments, there may be provided a specific 
user/terminal detachment procedure. For example, the user/terminal 

15 detachment procedure may specify that the user has to first enter a 
detachment code, then log off, and then remove his smart card from a smart 
card port in the terminal 110. If terminal 110 detects detachment without the 
detachment procedure being followed, it destroys the user authentication 
database in memory 112. 

20 During use, each terminal 110 is connected to the network and permits 

the authenticated user to access the network. In an embodiment, users are 
required to wear health sensors and the terminal contains health sensor 
detectors that continually or periodically monitor the user's health. Thus, in 
this embodiment, if at any time during a session user terminal 110 detects 

25 that the user is unable to conduct a terminal session, based on status from 
the health sensors (e.g. the user has been killed), this information is 
transmitted to the user authentication site 120 and the latter withdraws 
authentication. Alternatively, terminal 110 directly withdraws 
authentication and/or removes itself from the network 100. 

30 In an embodiment, in order to maintain terminal and network access, 

the user's health sensors must indicate to terminal 110 that the user is alive. 
If the health sensors indicate that the user has died, the terminal 110 detects 
this, de-authenticates the user, and automatically transmits this information 
to other user authentication sites to update the user authentication database. 
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Thus, in the present invention, because a peer-to-peer network is used, 
user terminals must also store user authentication database so they can 
function as user authentication sites. However, to prevent an unauthorized 
person who gains access to the terminal from being able to access the 
5 network or acquire the user authentication database by attacking the 
terminal's memory, each terminal places all authentication information 
behind a firewall and does not in general permit its user to access this 
database. Also, a user cannot be authenticated by his terminal He can only 
be authenticated by one or more other terminals. Thus, when a user 
10 attempts to access user terminal 110, user terminal 110 requests another 
terminal, e.g. terminal 120, to serve as a .user authentication site. Also, if a 
user accesses a terminal other than the one assigned to him he must be re- 
authenticated. 

Further, in an embodiment, re-authentication of all users is conducted 

1 5 periodically. For example, after some time, terminal 120 or another terminal 
may notice, e.g. from inspecting its own local copy of user the authentication 
database, that a time out period has elapsed since the user of terminal 110 
has last been authenticated. It can then initiate the next scheduled re- 
authentication. A re-authentication procedure may also be initiated by any 

20 terminal if it suspects that another user has been killed or captured or 
another terminal has been captured. Also, in an embodiment, if a terminal 
is detached from its user, even according to the detachment protocol, it 
removes itself from the network for further security. 

Referring now to Fig. 2, there is shown a flow chart illustrating the 

25 network user authentication protocol method 200 of network 100, in 
accordance with an embodiment of the present invention. First, a user 
initiates access of a user terminal 110 (step 201). Alternatively, if a user has 
been using a given terminal 110 for some time, after a timeout, 
authentication site 120 notifies user terminal 110 to re-authenticate the user 

30 (step 203). Authentication site 120 may also initiate re-authenticatioh if it 
suspects that the user of terminal 110 has been killed or captured or that 
terminal 110 has been captured. Terminal 110 then notifies the user to enter 
a user ID and password, for example within a given time period (step 205). 
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In the case of re-authentication, step 205 may involve issuing an 
Authentication Warning to the user, which may be in the form of a visual, 
auditory, or skin sensation message. Also, in the case of re-authentication 
in which the user is currently engaged in a session, the terminal 110 may 
5 still have user ID stored, in which case it need only prompt the user for the 
password. 

In an embodiment, in the case of authentication of a new user, the 
user must first insert his smart card into terminal 110. In the case of re- 
authentication of a currently-authenticated user, the user is already logged 

10 onto his terminal 110 with his smart card in place. In this embodiment, the 
smart card must be in place and the information thereon read and verified 
in order to continue with or maintain authentication. In alternative 
embodiments, the authentication protocol of the present invention does not 
require a smart card. 

15 The user presumably will only have a password if he is an authorized 

user. In this case, the authorized user enters his user ID and password (step 
207), within a specified timeout period if this is required in step 205. 
Terminal 110 then generates the user's authentication encryption key by 
translating the password into this key with the encryption-key generation 

20 algorithm (209). Thus, the user need not ever possess or even know his 
authentication encryption key, but only his password (and ID). 

Terminal 110 also generates a first random number (step 211), and 
then encrypts this random number using the user's authentication 
encryption key (step 213). The user terminal then notifies the user 

25 authentication site 120 of the user's identity and transmits the encrypted 
random number to user authentication site 120 (step 215). In an 
embodiment, the authentication site is notified of the user's identity by 
transmitting the user ID to the authentication site. The user ID is preferably 
first encrypted with the user's authentication encryption key and then the 

30 encrypted ID is transmitted to authentication site 120. Authentication site 
120 can then exhaustively decrypt the received encrypted message, with every 
possible authentication decryption key, until there is produced a user ID 
which matches a valid user ED of the network (and which also matches the 
user ID of the decryption key used to successfully decrypt the message). 
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Thus, once authentication site 120 has successfully decrypted the user ID 
message, it knows the user ID and thus which authentication decryption key 
to use to decrypt subsequent encrypted messages transmitted during the 
authentication process. In an embodiment, the user terminal 10 ID is also 
5 encrypted and transmitted to authentication site 120 along with the user ID. 
In the case of re-authentication, the encrypting and sending of the user ID 
can be skipped; or, for convenience and simplicity, it can still be transmitted, 
but the authentication site 120 can in this case simply use the already- 
determined decryption key to decrypt the encrypted user ID, rather than 

10 perform an exhaustive decryption. 

After decrypting the encrypted user ID message, authentication site 
120 receives the encrypted first random number. User authentication site 120 
decrypts this message with the particular user's authentication decryption 
key, to provide the original first random number (step 217). User 

15 authentication site 120 then generates a second random number, and 
transmits it to user terminal 110 (step 219). In an alternative embodiment, 
an encrypted version of the second random number is transmitted to user 
terminal 110, in which a second encryption/decryption key pair is utilized. 
At this point in time, user authentication site 120 knows the identity of 

20 the user and/or his password, that user's authentication 
encryption/decryption keys (or at least the decryption key), and the first and 
second random numbers. The user terminal 110 only temporarily, during 
the authentication process, stores the user's password and authentication 
encryption key. 

25 After receiving the second random number from authentication site 

120, the user's terminal 110 combines and encrypts both random numbers 
with the user's authentication encryption key and transmits this message to 
the user authentication site (step 221). The two random numbers may be 
combined in a variety of specified ways, e.g. adding, subtracting, 

30 multiplying, concatenating strings, and so forth, so long as the technique 
used by user terminal 110 is known to user authentication site 120. The 
combining technique used is preferably set apriori and specified as part of the 
authentication protocol of the present invention. 
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The user authentication site 120 thus receives an encrypted message, 
which is an encrypted version of the combined two random numbers, and 
decrypts this message using the user's authentication decryption key. 
Authentication site 120 then verifies that both random numbers are correct. 
5 If so, there has been no man-in-the-middle attack. At this point, 
authentication site 120 knows the identity of the user attempting to gain 
access. If the user's identify and access authority permit network access, 
authentication site 120 authenticates the user by transmittingthe appropriate 
authentication message to terminal 110 and allowing network resources to 

10 be used by the user from user terminal 110, in accordance with the user's 
level of access authority (step 223). If the user is a new user, he is 
authenticated, or denied access if the authentication fails. In the case of re- 
authentication, the user is re-authenticated, or authentication is withdrawn 
if the authentication fails. 

15 If the user is authenticated, and new transport and message keys are 

required, a new method of obtaining them from the terminal's clock is sent 
to terminal 110. If he is not authenticated, the user authentication site 
indicates to all other users on the network that he is de-authenticatedand all 
communications to and from him are terminated. Terminal access is also 

20 denied. The distributed user authentication database is updated to indicate 
the de-authentication, and every local copy is updated accordingly as the 
update is distributed through the network. 

In an embodiment, as described above, user authentication site 120 
may also query user terminal 110 for Smart Card information, the status of 

25 the user's health, and/or iris recognition information. This information may 
be used for additional security by authentication site 120, in step 223, in 
verifying the user's identity and ability to conduct a terminal session. 
Whether authentication fails or is successful, the user terminal 110 in both 
cases erases the user's password and authentication encryption key from its 

30 memory 112 immediately after the authentication process is completed (step 
225), for extra security, even though the memory 112 maintains a copy of the 
entire user authentication database. ^ 

As will be understood, the term "user" as used herein refers to a 
person either attempting to gain access, or already having access, to the 
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network 100 via a user terminal 110. Thus a prospective user as well as one 
already authorized by an authentication process is a user. 

As will be appreciated, the authentication protocol of the present 
invention is not vulnerable to a man-in-the-middle attack. Further, 
5 authentication data security is attained by not permitting individual terminal 
users to access the authentication information residing on the secure side of 
any user terminal 110. Having another terminal, e.g. user authentication 
site 120, control access to user terminal 110 attains terminal access and 
security. 

10 It will be understood that various changes in the details, materials, 

and arrangements of the parts which have been described and illustrated 
above in order to explain the nature of this invention may be made by those 
skilled in the art without departing from the principle and scope of the 
invention as recited in the following claims. 
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What is claimed is: 

1. In a peer-to-peer network (100) having a plurality of user terminals 
(110, 120), a method for authenticating a user, comprising the steps of: 

(a) storing, in a memory (112) on a secure side (114) of a first terminal 
5 (110) and in a memory (122) on a secure side (124) of a second 

terminal (120), a user authentication database; 

(b) receiving (207), at the first terminal of the network, a password 

from a user; 

(c) translating (209) the password into an authentication encryption 
10 key for the user; and 

(d) using (211-225)the authentication encryption key to authenticate the 

user with the second terminal serving as a user authentication 
site for the first terminal. 

15 2. The method of claim 1, wherein step (d) comprises the steps of: 

(1) generating (211), with the first terminal, a first random 

number; 

(2) encrypting (213) the first random number with the 

authentication encryption key to provide a first encrypted 
20 message and transmitting (215) the first encrypted 

message from the first terminal to the user 
authentication site; 

(3) decrypting (217), at the user authentication site, the 

encrypted first message to provide the first random 
25 number; 

(4) generating (219), with the user authentication site, a second 

random number and transmitting the second random 
number to the first terminal; 

(5) combining and encrypting (221), with the first terminal, the 
30 first and second random numbers to provide a second 

encrypted message and transmitting the second 
encrypted message from the first terminal to the user 
authentication site; 
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(6) decrypting (223), at the user authentication site, the 

encrypted second message to provide the combined first 
and second random numbers; 

(7) verifying that the first and second random numbers are 
5 correct; and 

(8) authenticatingthe user in accordance with said verification. 



3. The method of claim 2, comprising the further step of erasing (225) 
from the first terminal the password after the user authentication, whether 

0 the authentication is successful or not. 

4. The method of claim 2, wherein: 

step (b) comprises the further step of receiving (207), at the first 
terminal, a user ID from the user; 
5 step (dX2) comprises the further step of encrypting the user ED with the 

authentication encryption key to provide an encrypted user ID 
message and transmitting (215) the encrypted use ID message 
from the first terminal to the user authentication site; and 
step (d)(3) comprises the further step of decrypting, at the user 
authentication site, the encrypted user ID message with valid 
authentication decryption keys until a decrypted user ID is 
produced which matches a valid user ID of the network, step 
(d)(3) further comprising the step of decrypting the encrypted 
first message with the authentication decryption key used to 
successfully decrypt the encrypted user ID message, to provide 
the first random number. 

5. The method of claim 2, wherein step (d)(8) comprises the step of 
authenticating (223) the user if the first and second numbers are correct and 
if the user has authority to access the network. 

6. The method of claim 2, further comprising the steps of reading, 
with a health sensor, the user's health status, transmitting said health 
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status to the user authentication site, and authenticating the user in 
accordance with said health status and said verification of step (d)(7). 

7. The method of claim 2, further comprising the steps of querying, 
5 with the authentication site, the first terminal to read user information from 

a user smart card and authenticating the user in accordance with said user 
information and said verification of step (d)(7). 

8. The method of claim 1, wherein step (b) comprises the steps of: 

10 notifying (205) the user, with the terminal, to enter a user ID and the 

password when one of (1) a new user initiates (201) access of the 
terminal and (2) the authentication site notifies (203) the 
terminal when being used to re-authenticate after a time-out; 
and 

15 receiving, at the first terminal, the user ID from the user. 

9. The method of claim 1, comprising the further step preventing the 
user from accessing the secure side of the first terminal unless the user is a 
designated user. 

20 
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